init.rc revision adf0d1bbfa4bc560c2106f14afa8258a11c48bf6
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /init.usb.rc 9import /init.${ro.hardware}.rc 10import /init.${ro.zygote}.rc 11import /init.trace.rc 12 13on early-init 14 # Set init and its forked children's oom_adj. 15 write /proc/1/oom_score_adj -1000 16 17 # Set the security context of /adb_keys if present. 18 restorecon /adb_keys 19 20 start ueventd 21 22 # create mountpoints 23 mkdir /mnt 0775 root system 24 25on init 26 sysclktz 0 27 28 # Backward compatibility. 29 symlink /system/etc /etc 30 symlink /sys/kernel/debug /d 31 32 # Link /vendor to /system/vendor for devices without a vendor partition. 33 symlink /system/vendor /vendor 34 35 # Create cgroup mount point for cpu accounting 36 mkdir /acct 37 mount cgroup none /acct cpuacct 38 mkdir /acct/uid 39 40 # Create cgroup mount point for memory 41 mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 42 mkdir /sys/fs/cgroup/memory 0750 root system 43 mount cgroup none /sys/fs/cgroup/memory memory 44 write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 45 chown root system /sys/fs/cgroup/memory/tasks 46 chmod 0660 /sys/fs/cgroup/memory/tasks 47 mkdir /sys/fs/cgroup/memory/sw 0750 root system 48 write /sys/fs/cgroup/memory/sw/memory.swappiness 100 49 write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 50 chown root system /sys/fs/cgroup/memory/sw/tasks 51 chmod 0660 /sys/fs/cgroup/memory/sw/tasks 52 53 mkdir /system 54 mkdir /data 0771 system system 55 mkdir /cache 0770 system cache 56 mkdir /config 0500 root root 57 58 # See storage config details at http://source.android.com/tech/storage/ 59 mkdir /mnt/shell 0700 shell shell 60 mkdir /mnt/media_rw 0700 media_rw media_rw 61 mkdir /storage 0751 root sdcard_r 62 63 # Directory for putting things only root should see. 64 mkdir /mnt/secure 0700 root root 65 66 # Directory for staging bindmounts 67 mkdir /mnt/secure/staging 0700 root root 68 69 # Directory-target for where the secure container 70 # imagefile directory will be bind-mounted 71 mkdir /mnt/secure/asec 0700 root root 72 73 # Secure container public mount points. 74 mkdir /mnt/asec 0700 root system 75 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 76 77 # Filesystem image public mount points. 78 mkdir /mnt/obb 0700 root system 79 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 80 81 # memory control cgroup 82 mkdir /dev/memcg 0700 root system 83 mount cgroup none /dev/memcg memory 84 85 write /proc/sys/kernel/panic_on_oops 1 86 write /proc/sys/kernel/hung_task_timeout_secs 0 87 write /proc/cpu/alignment 4 88 write /proc/sys/kernel/sched_latency_ns 10000000 89 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 90 write /proc/sys/kernel/sched_compat_yield 1 91 write /proc/sys/kernel/sched_child_runs_first 0 92 write /proc/sys/kernel/randomize_va_space 2 93 write /proc/sys/kernel/kptr_restrict 2 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 96 write /proc/sys/net/unix/max_dgram_qlen 300 97 write /proc/sys/kernel/sched_rt_runtime_us 950000 98 write /proc/sys/kernel/sched_rt_period_us 1000000 99 100 # reflect fwmark from incoming packets onto generated replies 101 write /proc/sys/net/ipv4/fwmark_reflect 1 102 write /proc/sys/net/ipv6/fwmark_reflect 1 103 104 # set fwmark on accepted sockets 105 write /proc/sys/net/ipv4/tcp_fwmark_accept 1 106 107 # Create cgroup mount points for process groups 108 mkdir /dev/cpuctl 109 mount cgroup none /dev/cpuctl cpu 110 chown system system /dev/cpuctl 111 chown system system /dev/cpuctl/tasks 112 chmod 0666 /dev/cpuctl/tasks 113 write /dev/cpuctl/cpu.shares 1024 114 write /dev/cpuctl/cpu.rt_runtime_us 800000 115 write /dev/cpuctl/cpu.rt_period_us 1000000 116 117 mkdir /dev/cpuctl/bg_non_interactive 118 chown system system /dev/cpuctl/bg_non_interactive/tasks 119 chmod 0666 /dev/cpuctl/bg_non_interactive/tasks 120 # 5.0 % 121 write /dev/cpuctl/bg_non_interactive/cpu.shares 52 122 write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000 123 write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000 124 125 # qtaguid will limit access to specific data based on group memberships. 126 # net_bw_acct grants impersonation of socket owners. 127 # net_bw_stats grants access to other apps' detailed tagged-socket stats. 128 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 129 chown root net_bw_stats /proc/net/xt_qtaguid/stats 130 131 # Allow everybody to read the xt_qtaguid resource tracking misc dev. 132 # This is needed by any process that uses socket tagging. 133 chmod 0644 /dev/xt_qtaguid 134 135 # Create location for fs_mgr to store abbreviated output from filesystem 136 # checker programs. 137 mkdir /dev/fscklogs 0770 root system 138 139 # pstore/ramoops previous console log 140 mount pstore pstore /sys/fs/pstore 141 chown system log /sys/fs/pstore/console-ramoops 142 chmod 0440 /sys/fs/pstore/console-ramoops 143 chown system log /sys/fs/pstore/pmsg-ramoops-0 144 chmod 0440 /sys/fs/pstore/pmsg-ramoops-0 145 146 # enable armv8_deprecated instruction hooks 147 write /proc/sys/abi/swp 1 148 149# Healthd can trigger a full boot from charger mode by signaling this 150# property when the power button is held. 151on property:sys.boot_from_charger_mode=1 152 class_stop charger 153 trigger late-init 154 155# Load properties from /system/ + /factory after fs mount. 156on load_all_props_action 157 load_all_props 158 start logd-reinit 159 160# Indicate to fw loaders that the relevant mounts are up. 161on firmware_mounts_complete 162 rm /dev/.booting 163 164# Mount filesystems and start core system services. 165on late-init 166 trigger early-fs 167 trigger fs 168 trigger post-fs 169 trigger post-fs-data 170 171 # Load properties from /system/ + /factory after fs mount. Place 172 # this in another action so that the load will be scheduled after the prior 173 # issued fs triggers have completed. 174 trigger load_all_props_action 175 176 # Remove a file to wake up anything waiting for firmware. 177 trigger firmware_mounts_complete 178 179 trigger early-boot 180 trigger boot 181 182 183on post-fs 184 start logd 185 # once everything is setup, no need to modify / 186 mount rootfs rootfs / ro remount 187 # mount shared so changes propagate into child namespaces 188 mount rootfs rootfs / shared rec 189 190 # We chown/chmod /cache again so because mount is run as root + defaults 191 chown system cache /cache 192 chmod 0770 /cache 193 # We restorecon /cache in case the cache partition has been reset. 194 restorecon_recursive /cache 195 196 # This may have been created by the recovery system with odd permissions 197 chown system cache /cache/recovery 198 chmod 0770 /cache/recovery 199 200 #change permissions on vmallocinfo so we can grab it from bugreports 201 chown root log /proc/vmallocinfo 202 chmod 0440 /proc/vmallocinfo 203 204 chown root log /proc/slabinfo 205 chmod 0440 /proc/slabinfo 206 207 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 208 chown root system /proc/kmsg 209 chmod 0440 /proc/kmsg 210 chown root system /proc/sysrq-trigger 211 chmod 0220 /proc/sysrq-trigger 212 chown system log /proc/last_kmsg 213 chmod 0440 /proc/last_kmsg 214 215 # make the selinux kernel policy world-readable 216 chmod 0444 /sys/fs/selinux/policy 217 218 # create the lost+found directories, so as to enforce our permissions 219 mkdir /cache/lost+found 0770 root root 220 221on post-fs-data 222 installkey /data 223 224 # We chown/chmod /data again so because mount is run as root + defaults 225 chown system system /data 226 chmod 0771 /data 227 # We restorecon /data in case the userdata partition has been reset. 228 restorecon /data 229 230 # Start bootcharting as soon as possible after the data partition is 231 # mounted to collect more data. 232 mkdir /data/bootchart 0755 shell shell 233 bootchart_init 234 235 # Avoid predictable entropy pool. Carry over entropy from previous boot. 236 copy /data/system/entropy.dat /dev/urandom 237 238 # create basic filesystem structure 239 mkdir /data/misc 01771 system misc 240 mkdir /data/misc/adb 02750 system shell 241 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 242 mkdir /data/misc/bluetooth 0770 system system 243 mkdir /data/misc/keystore 0700 keystore keystore 244 mkdir /data/misc/gatekeeper 0700 system system 245 mkdir /data/misc/keychain 0771 system system 246 mkdir /data/misc/net 0750 root shell 247 mkdir /data/misc/radio 0770 system radio 248 mkdir /data/misc/sms 0770 system radio 249 mkdir /data/misc/zoneinfo 0775 system system 250 mkdir /data/misc/vpn 0770 system vpn 251 mkdir /data/misc/shared_relro 0771 shared_relro shared_relro 252 mkdir /data/misc/systemkeys 0700 system system 253 mkdir /data/misc/wifi 0770 wifi wifi 254 mkdir /data/misc/wifi/sockets 0770 wifi wifi 255 mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi 256 mkdir /data/misc/ethernet 0770 system system 257 mkdir /data/misc/dhcp 0770 dhcp dhcp 258 mkdir /data/misc/user 0771 root root 259 # give system access to wpa_supplicant.conf for backup and restore 260 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 261 mkdir /data/local 0751 root root 262 mkdir /data/misc/media 0700 media media 263 264 # For security reasons, /data/local/tmp should always be empty. 265 # Do not place files or directories in /data/local/tmp 266 mkdir /data/local/tmp 0771 shell shell 267 mkdir /data/data 0771 system system 268 mkdir /data/app-private 0771 system system 269 mkdir /data/app-asec 0700 root root 270 mkdir /data/app-lib 0771 system system 271 mkdir /data/app 0771 system system 272 mkdir /data/property 0700 root root 273 mkdir /data/tombstones 0771 system system 274 275 # create dalvik-cache, so as to enforce our permissions 276 mkdir /data/dalvik-cache 0771 root root 277 mkdir /data/dalvik-cache/profiles 0711 system system 278 279 # create resource-cache and double-check the perms 280 mkdir /data/resource-cache 0771 system system 281 chown system system /data/resource-cache 282 chmod 0771 /data/resource-cache 283 284 # create the lost+found directories, so as to enforce our permissions 285 mkdir /data/lost+found 0770 root root 286 287 # create directory for DRM plug-ins - give drm the read/write access to 288 # the following directory. 289 mkdir /data/drm 0770 drm drm 290 291 # create directory for MediaDrm plug-ins - give drm the read/write access to 292 # the following directory. 293 mkdir /data/mediadrm 0770 mediadrm mediadrm 294 295 mkdir /data/adb 0700 root root 296 297 # symlink to bugreport storage location 298 symlink /data/data/com.android.shell/files/bugreports /data/bugreports 299 300 # Separate location for storing security policy files on data 301 mkdir /data/security 0711 system system 302 303 # Create all remaining /data root dirs so that they are made through init 304 # and get proper encryption policy installed 305 mkdir /data/backup 0700 system system 306 mkdir /data/media 0770 media_rw media_rw 307 mkdir /data/ss 0700 system system 308 mkdir /data/system 0775 system system 309 mkdir /data/system/heapdump 0700 system system 310 mkdir /data/user 0711 system system 311 312 # Reload policy from /data/security if present. 313 setprop selinux.reload_policy 1 314 315 # Set SELinux security contexts on upgrade or policy update. 316 restorecon_recursive /data 317 318 # Check any timezone data in /data is newer than the copy in /system, delete if not. 319 exec u:r:tzdatacheck:s0 system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo 320 321 # If there is no fs-post-data action in the init.<device>.rc file, you 322 # must uncomment this line, otherwise encrypted filesystems 323 # won't work. 324 # Set indication (checked by vold) that we have finished this action 325 #setprop vold.post_fs_data_done 1 326 327on boot 328 # basic network init 329 ifup lo 330 hostname localhost 331 domainname localdomain 332 333 # set RLIMIT_NICE to allow priorities from 19 to -20 334 setrlimit 13 40 40 335 336 # Memory management. Basic kernel parameters, and allow the high 337 # level system server to be able to adjust the kernel OOM driver 338 # parameters to match how it is managing things. 339 write /proc/sys/vm/overcommit_memory 1 340 write /proc/sys/vm/min_free_order_shift 4 341 chown root system /sys/module/lowmemorykiller/parameters/adj 342 chmod 0220 /sys/module/lowmemorykiller/parameters/adj 343 chown root system /sys/module/lowmemorykiller/parameters/minfree 344 chmod 0220 /sys/module/lowmemorykiller/parameters/minfree 345 346 # Tweak background writeout 347 write /proc/sys/vm/dirty_expire_centisecs 200 348 write /proc/sys/vm/dirty_background_ratio 5 349 350 # Permissions for System Server and daemons. 351 chown radio system /sys/android_power/state 352 chown radio system /sys/android_power/request_state 353 chown radio system /sys/android_power/acquire_full_wake_lock 354 chown radio system /sys/android_power/acquire_partial_wake_lock 355 chown radio system /sys/android_power/release_wake_lock 356 chown system system /sys/power/autosleep 357 chown system system /sys/power/state 358 chown system system /sys/power/wakeup_count 359 chown radio system /sys/power/wake_lock 360 chown radio system /sys/power/wake_unlock 361 chmod 0660 /sys/power/state 362 chmod 0660 /sys/power/wake_lock 363 chmod 0660 /sys/power/wake_unlock 364 365 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 366 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 367 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 368 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 369 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 370 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 371 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 372 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 373 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 374 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 375 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 376 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 377 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 378 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 379 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 380 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 381 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 382 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 383 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 384 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 385 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 386 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 387 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 388 389 # Assume SMP uses shared cpufreq policy for all CPUs 390 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 391 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 392 393 chown system system /sys/class/timed_output/vibrator/enable 394 chown system system /sys/class/leds/keyboard-backlight/brightness 395 chown system system /sys/class/leds/lcd-backlight/brightness 396 chown system system /sys/class/leds/button-backlight/brightness 397 chown system system /sys/class/leds/jogball-backlight/brightness 398 chown system system /sys/class/leds/red/brightness 399 chown system system /sys/class/leds/green/brightness 400 chown system system /sys/class/leds/blue/brightness 401 chown system system /sys/class/leds/red/device/grpfreq 402 chown system system /sys/class/leds/red/device/grppwm 403 chown system system /sys/class/leds/red/device/blink 404 chown system system /sys/class/timed_output/vibrator/enable 405 chown system system /sys/module/sco/parameters/disable_esco 406 chown system system /sys/kernel/ipv4/tcp_wmem_min 407 chown system system /sys/kernel/ipv4/tcp_wmem_def 408 chown system system /sys/kernel/ipv4/tcp_wmem_max 409 chown system system /sys/kernel/ipv4/tcp_rmem_min 410 chown system system /sys/kernel/ipv4/tcp_rmem_def 411 chown system system /sys/kernel/ipv4/tcp_rmem_max 412 chown root radio /proc/cmdline 413 414 # Define default initial receive window size in segments. 415 setprop net.tcp.default_init_rwnd 60 416 417 class_start core 418 419on nonencrypted 420 class_start main 421 class_start late_start 422 423on property:vold.decrypt=trigger_default_encryption 424 start defaultcrypto 425 426on property:vold.decrypt=trigger_encryption 427 start surfaceflinger 428 start encrypt 429 430on property:sys.init_log_level=* 431 loglevel ${sys.init_log_level} 432 433on charger 434 class_start charger 435 436on property:vold.decrypt=trigger_reset_main 437 class_reset main 438 439on property:vold.decrypt=trigger_load_persist_props 440 load_persist_props 441 start logd-reinit 442 443on property:vold.decrypt=trigger_post_fs_data 444 trigger post-fs-data 445 446on property:vold.decrypt=trigger_restart_min_framework 447 class_start main 448 449on property:vold.decrypt=trigger_restart_framework 450 installkey /data 451 class_start main 452 class_start late_start 453 454on property:vold.decrypt=trigger_shutdown_framework 455 class_reset late_start 456 class_reset main 457 458on property:sys.powerctl=* 459 powerctl ${sys.powerctl} 460 461# system server cannot write to /proc/sys files, 462# and chown/chmod does not work for /proc/sys/ entries. 463# So proxy writes through init. 464on property:sys.sysctl.extra_free_kbytes=* 465 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 466 467# "tcp_default_init_rwnd" Is too long! 468on property:sys.sysctl.tcp_def_init_rwnd=* 469 write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd} 470 471 472## Daemon processes to be run by init. 473## 474service ueventd /sbin/ueventd 475 class core 476 critical 477 seclabel u:r:ueventd:s0 478 479service logd /system/bin/logd 480 class core 481 socket logd stream 0666 logd logd 482 socket logdr seqpacket 0666 logd logd 483 socket logdw dgram 0222 logd logd 484 485service logd-reinit /system/bin/logd --reinit 486 start logd 487 oneshot 488 disabled 489 490service healthd /sbin/healthd 491 class core 492 critical 493 seclabel u:r:healthd:s0 494 495service console /system/bin/sh 496 class core 497 console 498 disabled 499 user shell 500 group shell log 501 seclabel u:r:shell:s0 502 503on property:ro.debuggable=1 504 start console 505 506# adbd is controlled via property triggers in init.<platform>.usb.rc 507service adbd /sbin/adbd --root_seclabel=u:r:su:s0 508 class core 509 socket adbd stream 660 system system 510 disabled 511 seclabel u:r:adbd:s0 512 513# adbd on at boot in emulator 514on property:ro.kernel.qemu=1 515 start adbd 516 517service lmkd /system/bin/lmkd 518 class core 519 critical 520 socket lmkd seqpacket 0660 system system 521 522service servicemanager /system/bin/servicemanager 523 class core 524 user system 525 group system 526 critical 527 onrestart restart healthd 528 onrestart restart zygote 529 onrestart restart media 530 onrestart restart surfaceflinger 531 onrestart restart drm 532 533service vold /system/bin/vold 534 class core 535 socket vold stream 0660 root mount 536 ioprio be 2 537 538service netd /system/bin/netd 539 class main 540 socket netd stream 0660 root system 541 socket dnsproxyd stream 0660 root inet 542 socket mdns stream 0660 root system 543 socket fwmarkd stream 0660 root inet 544 545service debuggerd /system/bin/debuggerd 546 class main 547 548service debuggerd64 /system/bin/debuggerd64 549 class main 550 551service ril-daemon /system/bin/rild 552 class main 553 socket rild stream 660 root radio 554 socket rild-debug stream 660 radio system 555 user root 556 group radio cache inet misc audio log 557 558service surfaceflinger /system/bin/surfaceflinger 559 class core 560 user system 561 group graphics drmrpc 562 onrestart restart zygote 563 564service drm /system/bin/drmserver 565 class main 566 user drm 567 group drm system inet drmrpc 568 569service media /system/bin/mediaserver 570 class main 571 user media 572 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm 573 ioprio rt 4 574 575# One shot invocation to deal with encrypted volume. 576service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted 577 disabled 578 oneshot 579 # vold will set vold.decrypt to trigger_restart_framework (default 580 # encryption) or trigger_restart_min_framework (other encryption) 581 582# One shot invocation to encrypt unencrypted volumes 583service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default 584 disabled 585 oneshot 586 # vold will set vold.decrypt to trigger_restart_framework (default 587 # encryption) 588 589service bootanim /system/bin/bootanimation 590 class core 591 user graphics 592 group graphics audio 593 disabled 594 oneshot 595 596service installd /system/bin/installd 597 class main 598 socket installd stream 600 system system 599 600service flash_recovery /system/bin/install-recovery.sh 601 class main 602 oneshot 603 604service racoon /system/bin/racoon 605 class main 606 socket racoon stream 600 system system 607 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 608 group vpn net_admin inet 609 disabled 610 oneshot 611 612service mtpd /system/bin/mtpd 613 class main 614 socket mtpd stream 600 system system 615 user vpn 616 group vpn net_admin inet net_raw 617 disabled 618 oneshot 619 620service keystore /system/bin/keystore /data/misc/keystore 621 class main 622 user keystore 623 group keystore drmrpc 624 625service dumpstate /system/bin/dumpstate -s 626 class main 627 socket dumpstate stream 0660 shell log 628 disabled 629 oneshot 630 631service mdnsd /system/bin/mdnsd 632 class main 633 user mdnsr 634 group inet net_raw 635 socket mdnsd stream 0660 mdnsr inet 636 disabled 637 oneshot 638 639service pre-recovery /system/bin/uncrypt 640 class main 641 disabled 642 oneshot 643